Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2011/09/01 00:33:39 UTC
Re: Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
Folks,
See below - for the 1.3 discussion - that suggests we should take it a notch down:
On 31 Aug 2011, at 22:35, Munechika Sumikawa wrote:
>>>> We're currently discussing this - and will probably adjust the
>>>> announcement a bit. It is vulnerable in that it can suddenly take a
>>>> lot more CPU, memory and resources when 'attacked'. And the response
>>>> is worse than pure linear. But unlike 2.0 and 2.2 it does not
>>>> explode exponentially. So at this point I am expecting us to
>>>> conclude that 1.3 is 'as affected' as most other servers
>>>> implementing this protocol; not due to a fault in the code - but
>>>> more to a fault in the protocol design.
>>>>
>>>> Does that make sense?
>>>
>>> Let me confirm the code. Apache 1.3 allocates only several bytes per
>>> "byte-range" to record first-pos and last-pos. And the memory is
>>> released immediately after the HTTP session is disconnected. Thus,
>>> it's impossible for a cracker to succeed in DoSing a 1.3.x server with
>>> the paranoia range header. Am I correct?
>>>
>>> If so, IMO Apache 1.3's behavior should be the normal case. A more
>>> complicated pattern based on the designed protocol eats up more
>>> resources than a simpler pattern. That always happens in any protocol.
>>> (e.g. IP fragmentation)
>>>
>>> I think it's still in the scope of "linear" even though it's not "pure
>>> linear".
Which makes good sense. And looking at the default 1.3 configs on the standard platforms of that time - it is indeed not really Apache that is at fault.
Dw.
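As an added illustration of the point quoted above (example code written for this page, not httpd's own 1.3 source): a byte-range header parser that records exactly two offsets per range, so the memory it holds per request grows linearly with the number of ranges, plus a cap on the range count as the guard a server can apply before spending more memory on a request. The cap name and value (max_ranges, 200) are hypothetical, not an httpd directive, and the header inputs are constructed for the demonstration.

```c
/* Illustration only: a Range parser with two offsets of state per range,
 * and a hypothetical per-request cap on the number of ranges. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    long first;   /* -1 for a suffix range "-N" */
    long last;    /* -1 for an open-ended range "N-" */
} byte_range_t;

typedef struct {
    byte_range_t *ranges;
    size_t count, capacity;
} range_set_t;

static void range_set_free(range_set_t *rs)
{
    free(rs->ranges);
    rs->ranges = NULL;
    rs->count = rs->capacity = 0;
}

/* Parse "bytes=a-b,c-,-d,...".  Returns 0 on success, -1 on a syntax error
 * (including a reversed range such as "5-2"), -2 once the range count
 * passes max_ranges.  Call range_set_free() on every return path. */
static int parse_range_header(const char *value, size_t max_ranges, range_set_t *out)
{
    const char *p = value;
    out->ranges = NULL;
    out->count = out->capacity = 0;

    while (isspace((unsigned char)*p)) p++;
    if (strncmp(p, "bytes=", 6) != 0) return -1;
    p += 6;

    for (;;) {
        long first = -1, last = -1;
        char *end;

        while (isspace((unsigned char)*p)) p++;
        if (*p != '-') {                          /* first-byte-pos */
            if (!isdigit((unsigned char)*p)) return -1;
            errno = 0;
            first = strtol(p, &end, 10);
            if (errno != 0) return -1;
            p = end;
        }
        if (*p++ != '-') return -1;
        if (isdigit((unsigned char)*p)) {         /* last-byte-pos */
            errno = 0;
            last = strtol(p, &end, 10);
            if (errno != 0) return -1;
            p = end;
        }
        if (first < 0 && last < 0) return -1;                   /* bare "-" */
        if (first >= 0 && last >= 0 && last < first) return -1; /* reversed */

        /* The guard: stop before the request is allowed to hold more state. */
        if (out->count >= max_ranges) return -2;
        if (out->count == out->capacity) {
            size_t ncap = out->capacity ? out->capacity * 2 : 8;
            byte_range_t *n = realloc(out->ranges, ncap * sizeof *n);
            if (n == NULL) return -1;
            out->ranges = n;
            out->capacity = ncap;
        }
        out->ranges[out->count].first = first;
        out->ranges[out->count].last = last;
        out->count++;

        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') return 0;
        if (*p++ != ',') return -1;
    }
}

/* Memory held for the parsed ranges: two offsets per range, linear in count. */
static size_t range_set_bytes(const range_set_t *rs)
{
    return rs->count * sizeof(byte_range_t);
}

/* Parse, return the range count or the negative error code, and free. */
static long range_count(const char *value, size_t max_ranges)
{
    range_set_t rs;
    int rc = parse_range_header(value, max_ranges, &rs);
    long result = rc == 0 ? (long)rs.count : rc;
    range_set_free(&rs);
    return result;
}

/* 1 if the idx-th range of value parses to (first, last), else 0. */
static int range_is(const char *value, size_t idx, long first, long last)
{
    range_set_t rs;
    int ok = parse_range_header(value, 1000, &rs) == 0 && idx < rs.count
             && rs.ranges[idx].first == first && rs.ranges[idx].last == last;
    range_set_free(&rs);
    return ok;
}

/* Constructed input: a header carrying n one-byte ranges "0-0,1-1,...". */
static char *build_many_ranges(size_t n)
{
    char *buf = malloc(7 + n * 24), *w;
    if (buf == NULL) return NULL;
    w = buf + sprintf(buf, "bytes=");
    for (size_t i = 0; i < n; i++)
        w += sprintf(w, "%s%zu-%zu", i ? "," : "", i, i);
    return buf;
}

static long many_ranges_count(size_t n, size_t max_ranges)
{
    char *many = build_many_ranges(n);
    long r = many ? range_count(many, max_ranges) : -1;
    free(many);
    return r;
}

int main(void)
{
    char *many = build_many_ranges(1000);
    range_set_t rs;
    int rc = parse_range_header(many, 200, &rs);
    printf("cap 200:  rc=%d after %zu ranges, %zu bytes held\n", rc, rs.count, range_set_bytes(&rs));
    range_set_free(&rs);
    rc = parse_range_header(many, 5000, &rs);
    printf("cap 5000: rc=%d, %zu ranges, %zu bytes held\n", rc, rs.count, range_set_bytes(&rs));
    range_set_free(&rs);
    free(many);
    return 0;
}
```

With the cap set at 200, the 1000-range request is refused after 200 entries; with the cap raised, all 1000 parse and the memory held is 1000 times sizeof(byte_range_t), which is the "linear" cost the thread discusses. The reversed-range and bare "-" rejections are this parser's own strictness, not a statement about how httpd 1.3 treats them.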